repeat the ComboFix scan exactly as I wrote
you are to run it using the CFScript.txt file
ComboFix 08-11-18.A2 - Tomek 2008-11-23 17:47:01.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.656 [GMT 1:00]
Uruchomiony z: e:\torenty\ComboFix.exe
Użyto następujących komend :: e:\torenty\CFScript.txt
* Utworzono nowy punkt przywracania
UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA
.
((((((((((((((((((((((((( Pliki utworzone od 2008-10-23 do 2008-11-23 )))))))))))))))))))))))))))))))
.
2008-11-21 17:04 . 2008-11-21 17:04 29 --a------ c:\windows\system32\tdrugupd.tmp
2008-11-20 19:26 . 2008-11-20 19:27
2008-11-02 15:30 . 2008-11-02 15:30
2008-11-02 15:30 . 2008-11-02 15:30
2008-11-02 15:30 . 2008-11-02 15:30
2008-11-02 15:30 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-02 15:30 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-31 22:29 . 2008-10-31 22:29
2008-10-31 22:15 . 2008-10-31 22:15
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 15:23 --------- d-----w c:\program files\neostrada tp
2008-11-21 16:09 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2008-11-12 20:09 --------- d-----w c:\program files\BitComet
2008-09-28 17:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-28 17:53 --------- d-----w c:\program files\THQ
2008-09-08 14:42 258,048 ----a-w c:\windows\system32\libFLAC.dll
2008-09-08 14:41 892,928 ----a-w c:\windows\system32\iconv.dll
2008-09-08 14:41 456,192 ----a-w c:\windows\system32\libmplayer.dll
2008-09-08 14:41 3,569,152 ----a-w c:\windows\system32\libavcodec.dll
2008-09-08 14:41 119,296 ----a-w c:\windows\system32\libmpeg2_ff.dll
2008-09-08 14:39 79,360 ----a-w c:\windows\system32\mkzlib.dll
2008-09-08 14:39 755,027 ----a-w c:\windows\system32\xvidcore.dll
2008-09-08 14:39 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-08 14:39 23,552 ----a-w c:\windows\system32\mkunicode.dll
2008-09-08 14:39 2,041,363 ----a-w c:\windows\system32\x264vfw.dll
2008-09-08 14:39 163,840 ----a-w c:\windows\system32\ts.dll
2008-09-08 14:39 159,839 ----a-w c:\windows\system32\xvidvfw.dll
2008-09-08 14:39 159,744 ----a-w c:\windows\system32\mmfinfo.dll
2008-09-08 14:39 148,992 ----a-w c:\windows\system32\mkx.dll
2008-09-08 14:39 141,312 ----a-w c:\windows\system32\mp4.dll
2008-09-08 14:39 120,832 ----a-w c:\windows\system32\ogm.dll
2008-09-08 14:39 108,032 ----a-w c:\windows\system32\avi.dll
2007-12-19 16:46 77,824 ----a-w c:\program files\LFS_restart.exe
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2007-10-09 16:23 56 --sh--r c:\windows\system32\CD0CE156F6.sys
2007-10-09 16:23 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-11-21_21.17.34,50 )))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 17:41:38 1,233,112 ----a-w c:\windows\system32\aswBoot.exe
2008-11-18 17:35:22 97,480 ----a-w c:\windows\system32\AvastSS.scr
2008-11-18 18:00:11 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
2008-11-18 18:04:36 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
2008-11-18 18:04:21 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
2008-11-18 18:01:09 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
2008-11-18 18:03:33 110,160 ----a-w c:\windows\system32\drivers\aswSP.sys
2008-11-18 18:01:23 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
2008-11-23 15:22:22 16,384 ----atw c:\windows\temp\Perflib_Perfdata_3b4.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84583270-0414-5794-6430-5599ca323026}]
2008-11-23 15:09 53760 -rahs---- c:\program files\Common Files\System\admin s.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-17 68856]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2007-09-10 6338360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-04-12 8429568]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-20 13312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2001-10-26 c:\windows\system32\narrator.exe]
c:\documents and settings\Tomek\Menu Start\Programy\Autostart\
IPod Try Icon Lighting.exe [2008-11-23 34816]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Google XDesktop Lighting.exe [2008-11-23 34816]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Google XDesktop Lighting.exe]
path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Google XDesktop Lighting.exe
backup=c:\windows\pss\Google XDesktop Lighting.exeCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Tomek^Menu Start^Programy^Autostart^IPod Try Icon Lighting.exe]
path=c:\documents and settings\Tomek\Menu Start\Programy\Autostart\IPod Try Icon Lighting.exe
backup=c:\windows\pss\IPod Try Icon Lighting.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Tomek^Menu Start^Programy^Autostart^userinit.exe]
path=c:\documents and settings\Tomek\Menu Start\Programy\Autostart\userinit.exe
backup=c:\windows\pss\userinit.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-23 17:05 143360 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
--a------ 2007-09-10 13:33 6338360 c:\program files\BitComet\BitComet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTZDetec.exe]
--------- 2007-12-18 13:20 401408 c:\program files\Creative\Creative Media Lite\CTZDetec.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
-r------- 2006-10-30 13:44 1953792 c:\windows\system32\JMRaidSetup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2006-10-30 13:44 36864 c:\windows\JM\JMInsIDE.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-12-05 21:55 54832 c:\program files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-12 22:44 8429568 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-12 22:44 81920 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 14:10 56928 c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-12-18 14:34 868352 c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-11-17 14:00 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
--------- 2004-10-14 15:55 32768 c:\progra~1\NEOSTR~1\GestMAJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
--------- 2004-08-23 13:49 20480 c:\progra~1\NEOSTR~1\Watch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-12 22:44 1626112 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2008-11-21 110160]
R3 e4usbaw;USB ADSL2 WAN Adapter;c:\windows\System32\DRIVERS\e4usbaw.sys [2007-10-02 116992]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);c:\windows\System32\Drivers\e4ldr.sys [2007-10-02 64000]
S2 ptsrqtnt;ptsrqtnt;\??\c:\windows\system32\drivers\ptsrqtnt.sys []
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 17:47:27
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS
skanowanie ukrytych procesów …
skanowanie ukrytych wpisów autostartu …
skanowanie ukrytych plików …
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
Czas ukończenia: 2008-11-23 17:47:41
ComboFix-quarantined-files.txt 2008-11-23 16:47:39
ComboFix2.txt 2008-11-23 16:42:38
ComboFix3.txt 2008-11-23 13:02:50
ComboFix4.txt 2008-11-21 20:17:44
Przed: 70 142 885 888 bajtów wolnych
Po: 70,132,932,608 bajtów wolnych
157
I'm trying with sre
It didn't remove anything, try a different way
Download and run The Avenger tool. Select the text given for removal on the forum,
copy >> click Paste Script from Clipboard >> Execute >> confirm and agree to the restart by clicking OK.
Manually delete the file C:\Avenger\backup.zip from disk and paste the report on the forum: C:\avenger.txt
Open Notepad and paste
save as plik.reg >> all files
a file with this icon will be created
double-click it, confirm that you want to add it to the registry, then restart
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack. 1)
Fri Nov 21 21:02:55 2008
21:02:55: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack. 1)
Fri Nov 21 21:03:20 2008
21:03:20: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack. 1)
Fri Nov 21 21:03:56 2008
21:03:56: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack. 1)
Fri Nov 21 21:04:17 2008
21:04:17: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack. 1)
Sun Nov 23 19:05:27 2008
19:05:27: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack. 1)
Sun Nov 23 19:05:56 2008
19:05:56: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Dodatek Service Pack. 1)
Sun Nov 23 19:06:21 2008
19:06:21: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\Program Files\Common Files\System\admin s.dll" deleted successfully.
File "C:\Program Files\Common Files\System\Adobe_Desk_Lighting.exe" deleted successfully.
File "C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Google XDesktop Lighting.exe" deleted successfully.
File "C:\Documents and Settings\Tomek\Menu Start\Programy\Autostart\IPod Try Icon Lighting.exe" deleted successfully.
Error: file "c:\windows\system32\drivers\ptsrqtnt.sys" not found!
Deletion of file "c:\windows\system32\drivers\ptsrqtnt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\pss\Google XDesktop Lighting.exe" not found!
Deletion of file "c:\windows\pss\Google XDesktop Lighting.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\pss\IPod Try Icon Lighting.exe" not found!
Deletion of file "c:\windows\pss\IPod Try Icon Lighting.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\documents and settings\Tomek\Menu Start\Programy\Autostart\userinit.exe" not found!
Deletion of file "c:\documents and settings\Tomek\Menu Start\Programy\Autostart\userinit.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\pss\userinit.exe" not found!
Deletion of file "c:\windows\pss\userinit.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Driver “ptsrqtnt” deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Now
Use Malwarebytes' Anti-Malware http://cybertrash.pl/Tata/MBAM/Malwarebytes_%20Anti-Malware.html full scan - if it finds anything, remove it - show the log
Download a new ComboFix and put it on the desktop http://forum.dobreprogramy.pl/viewtopic.php?f=16&t=36654 scan the system and give the log
Download System Repair Engineer
http://www.cybertrash.pl/images/tata/System%20Repair/System%20Repair%20Engineer.html
scan and give the log
scan order as I gave it
I put the log on wklej to
where
I don't see any log
I pasted it as tomek1234123412
I put the ComboFix log on wklejto. Is it there now?
On the forum you give the link to the page where the log is
Repeat the scan, you are to do a full scan >> if it finds anything, remove it, and only then show the log
The ComboFix log is old, do a new scan
This is the second Malwarebytes scan; the first one froze and died, but there was a trojan.TBO or OBH, something like that. When I was removing it everything froze and I did a new scan
Paste into Notepad:
File::
c:\program files\Common Files\System\admin s.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84583270-0414-5794-6430-5599ca323026}
>>File>>Save as... >>> CFScript (it will be most convenient if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto ComboFix.exe (i.e. the CFScript.txt icon onto the ComboFix.exe icon)
- similar to this picture -->
(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, a new ComboFix log and a scan at http://www.kaspersky.pl/virusscanner.html
Well, OK - registry cleaning:
RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177
you can go over the registry with it, or
jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509
RegCleaner guide - http://www.agavk.p9.pl/strony/progra_regcleaner.php
See - jv16 PowerTools usage
To be sure - run a Dr. Web CureIt scan, and if there is nothing, it's OK
Dr. Web... detected 2 viruses
I sent them for curing, and what next